They're hackable with physical access. But with physical access you can also snip a brake line, wire in a bomb, so much other stuff. They're basically unhackable over-the-air. (Source: did a bunch of research as a "security expert" when my company needed to release some official statements).
So it's good for disguising an "accident" but not really anything to worry about otherwise.
Here's the whitepaper on how it's been done. It took them a year of phyiscal access to come up with a solution that could theoretically be done entirely remotely, for one specific firmware version of car, resulting in an attack that takes hours in order to work. http://illmatics.com/Remote%20Car%20Hacking.pdf It's just absolutely not worth doing
With the exception of Tesla and their remote-updates, there's not the capability in the car for that to happen.
It'd be like if I hacked your phone to shock you. There's no taser built into your phone. There's no hardware that can do that.
Safety critical automotive systems 1) don't have the ability to over-the-air update, 2) are designed so that they can't be controlled from other systems.
So hacking a car to make it swerve into another crash and turn into a fireball would be like me hacking your toaster to jump into your bathtub.
So when OnStar disables a vehicle remotely, that's not over the air? If they can remotely trigger the ignition, what makes you think a nefarious entity can't trigger a fuel sending unit?
Into doing what? Spraying fuel all over the car? The fuel sending unit doesn't have that ability. You could maybe fuck with the trims and cause the engine to run lean until you blow some rings, but I've done that and it's not a high-speed highway crash situation.
The typical thing is to just make the car accelerate. Not much of a different explanation for driving into the back of a semi. Hit the gas instead of the brake? This is indeed a perfect way to conceal the hit job.
I used to work in the automotive cyber industry. If your car has a connection to the internet - it can be hacked.
All you need is a way into the CAN bus. The CAN bus is the electrical cable(s) that controls basically everything in the car, including your windows, lights, gear, gear interlock, brakes, and gas.
Your entertainment system is connected to it (so for example, it can show the radio station on your dashboard). Meaning, you hack that (and its not hard), you pretty much control the entire car.
It's an old system from the 80s and has ZERO security measures. It's extremely easy to control a car through the internet given a connection.
It's decently easy if you have access to the canbus, yes. But getting remote access to the canbus is anything but "extremely easy"
You have to scan networks until the right vin pops up, rewrite the infotainment software to give you a backdoor into canbus, upload the new iso to the infotainment system, do more hacking to get the software to mount your iso to emulate a USB drive to bypass those security features, and then get through the entire update process while all the modems are disabled.
If it was extremely easy it wouldn't have taken the two specialists an entire year to pull off - with physical access. If it was extremely easy mossad would have hacked that nuclear specialists car instead of setting up a remote turret/carbomb. We would hack isis leaders cars instead of dronestriking them. If you still think it's easy I'll send you my vin and give you 10:1 odds on a friendly wager!
Because what it all comes down to is: Putting a few holes in the fuel line and brake line is 10,000x easier.
No, you don't need to rewrite the infotainment software. Most of those systems run some variation of android with security patches from like 2015. You can find easy exploits online right now. If you think that's the hard part I've got some news for you...
The hard part is actually locating and getting access to the system in the first place, not actually hacking it - considering the backdoor access alphabet agencies have.
Shouldn't be too hard though with the might of the US intelligence, especially if you use a SIM card for your internet connection...
Not into safety-critical systems. You could spy on someone, lock/unlock their car, or turn the engine on/off, but you're not gonna disable the brakes, lock the throttle wide open, disable the gear shift...
Only if they're self-driving. I'll never purchase a vehicle that doesn't have an entirely physical mechanism with, at most, digital assistance like antilock. Never will I have a "stay in your lane" assist-type-deal.
Engines have had drive by wire throttles for almost 20 years. Any car with a lane departure system, follow distance assist or a parallel parking assist has motors attached to steering and brakes. All computer controlled. The engine can be started, stopped, revved, redlined, or blown up and the car can be steered or braked.
You know the new cars? You drive every day. Hackable.
They're hackable with physical access. But with physical access you can also snip a brake line, wire in a bomb, so much other stuff. They're basically unhackable over-the-air. (Source: did a bunch of research as a "security expert" when my company needed to release some official statements).
So it's good for disguising an "accident" but not really anything to worry about otherwise.
Here's the whitepaper on how it's been done. It took them a year of phyiscal access to come up with a solution that could theoretically be done entirely remotely, for one specific firmware version of car, resulting in an attack that takes hours in order to work. http://illmatics.com/Remote%20Car%20Hacking.pdf It's just absolutely not worth doing
With the exception of Tesla and their remote-updates, there's not the capability in the car for that to happen.
It'd be like if I hacked your phone to shock you. There's no taser built into your phone. There's no hardware that can do that.
Safety critical automotive systems 1) don't have the ability to over-the-air update, 2) are designed so that they can't be controlled from other systems.
So hacking a car to make it swerve into another crash and turn into a fireball would be like me hacking your toaster to jump into your bathtub.
So when OnStar disables a vehicle remotely, that's not over the air? If they can remotely trigger the ignition, what makes you think a nefarious entity can't trigger a fuel sending unit?
Into doing what? Spraying fuel all over the car? The fuel sending unit doesn't have that ability. You could maybe fuck with the trims and cause the engine to run lean until you blow some rings, but I've done that and it's not a high-speed highway crash situation.
The typical thing is to just make the car accelerate. Not much of a different explanation for driving into the back of a semi. Hit the gas instead of the brake? This is indeed a perfect way to conceal the hit job.
I can start my truck anywhere in the world, tell me why anyone needs physical access to it?
'Cause your car doesn't have a "catch on fire" option built in just waiting for the right code to run.
Edit: I'm responding to the specific claim that hacking requires physical access, it does not.
Not true.
I used to work in the automotive cyber industry. If your car has a connection to the internet - it can be hacked.
All you need is a way into the CAN bus. The CAN bus is the electrical cable(s) that controls basically everything in the car, including your windows, lights, gear, gear interlock, brakes, and gas.
Your entertainment system is connected to it (so for example, it can show the radio station on your dashboard). Meaning, you hack that (and its not hard), you pretty much control the entire car.
It's an old system from the 80s and has ZERO security measures. It's extremely easy to control a car through the internet given a connection.
It's decently easy if you have access to the canbus, yes. But getting remote access to the canbus is anything but "extremely easy"
You have to scan networks until the right vin pops up, rewrite the infotainment software to give you a backdoor into canbus, upload the new iso to the infotainment system, do more hacking to get the software to mount your iso to emulate a USB drive to bypass those security features, and then get through the entire update process while all the modems are disabled.
If it was extremely easy it wouldn't have taken the two specialists an entire year to pull off - with physical access. If it was extremely easy mossad would have hacked that nuclear specialists car instead of setting up a remote turret/carbomb. We would hack isis leaders cars instead of dronestriking them. If you still think it's easy I'll send you my vin and give you 10:1 odds on a friendly wager!
Because what it all comes down to is: Putting a few holes in the fuel line and brake line is 10,000x easier.
No, you don't need to rewrite the infotainment software. Most of those systems run some variation of android with security patches from like 2015. You can find easy exploits online right now. If you think that's the hard part I've got some news for you...
The hard part is actually locating and getting access to the system in the first place, not actually hacking it - considering the backdoor access alphabet agencies have.
Shouldn't be too hard though with the might of the US intelligence, especially if you use a SIM card for your internet connection...
No backdoor into On-star?
Not into safety-critical systems. You could spy on someone, lock/unlock their car, or turn the engine on/off, but you're not gonna disable the brakes, lock the throttle wide open, disable the gear shift...
Only if they're self-driving. I'll never purchase a vehicle that doesn't have an entirely physical mechanism with, at most, digital assistance like antilock. Never will I have a "stay in your lane" assist-type-deal.
Engines have had drive by wire throttles for almost 20 years. Any car with a lane departure system, follow distance assist or a parallel parking assist has motors attached to steering and brakes. All computer controlled. The engine can be started, stopped, revved, redlined, or blown up and the car can be steered or braked.
I'm driving a 2000 Chrysler, haha. I'll definitely be keeping an eye out if I ever change vehicles :)
It will assist you right into a wall if your expendable. Ford had issue with slamming on auto brakes for eighteen wheelie chrome shiny shine.
With the antilock I'm familiar with, it's just digital assistance based on haptic feedback, without any kind of external stuff.
I mean sure if someone gets their hands on your vehicle they can do stuff, but just cut the brake line and be fine with it at that point
This video came out at an interesting time
https://www.youtube.com/watch?v=5CsD8I396wo